Australian Government - Office of the Australian Information Commissioner

Chapter Six — Privacy compliance

Contents

  1. Overview
  2. Responding to enquiries
  3. Complaints
  4. Determinations
  5. Own motion investigations
  6. Data breach notifications
  7. Case notes
  8. Data matching
  9. Audits
  10. Personal Information Digest

Overview

To ensure that privacy is valued and respected in Australia, the Office of the Australian Information Commissioner (OAIC) undertakes a wide range of compliance activities. These include running a telephone and written enquiry service, investigating and resolving individual complaints, conducting audits and data-matching inspections, conducting own motion investigations (OMIs) and receiving and reviewing data breach notifications (DBNs).

In 2011–12, the Compliance Branch received 1357 complaints, an increase of 11% over the 1222 received in 2010–11. In addition, the OAIC dealt with 37 OMIs and 46 voluntary DBNs.

The Compliance Branch undertook three audits in 2011–12. Work was also completed on high profile OMIs involving Telstra, Sony Computer Entertainment Australia Pty Ltd, First State Super and Professional Services Review.

When conducting an OMI the OAIC can gather information about a respondent’s privacy practices and work with that agency or organisation to resolve issues of non-compliance and improve their overall privacy practices.

The OAIC publishes case notes as an effective means of providing information about how matters are assessed and how the law applies to issues involving privacy. Fourteen case notes were published during 2011–12.

In addition, the Privacy Commissioner published six investigation reports about OMIs finalised in 2011–12.

Responding to enquiries

The OAIC’s enquiries line (1300 363 992) provides information about privacy issues and privacy law for the cost of a local call. The enquiries line answered 21,317 telephone enquiries in 2011–12, an increase of more than 3% over the number of calls received in the previous year. Of those telephone enquiries, 8976 specifically related to privacy and the protection of personal information. Other calls related to freedom of information (FOI), the role of the OAIC, privacy or FOI in other jurisdictions, or were administrative in nature.

Telephone enquiries

Most callers are individuals seeking information about their privacy rights and advice on how to resolve privacy complaints.

Table 6.1 below illustrates the top 10 types of caller who telephoned the enquiries line in 2011–12.

Table 6.1 Top 10 privacy caller types
Caller type | Total number of calls
Individual | 7015
Business, professional associations and unions | 399
Health service providers | 226
Real estate agents | 178
Australian Government | 130
Personal services (including employment, child care, vets) | 107
Legal, accounting and management services | 103
Clubs, interest groups, theatres and sports | 100
Finance (including superannuation) | 79
Charities | 76

Table 6.2 provides a breakdown of issues discussed in the calls received during 2011–12. Almost three quarters (72%) of the privacy-related calls were about the National Privacy Principles (NPPs). The most frequently discussed issue continued to be the use and disclosure of personal information by private sector organisations, followed by NPP exemptions, improper collection, access and correction and data security.

The numbers of privacy-related calls about credit reporting and about the Information Privacy Principles (IPPs) were lower than in previous years.

Table 6.2 Breakdown of issues discussed in privacy calls received
Issue | Total number of calls
NPP 1 — Collection | 1231
NPP 2 — Use and disclosure | 2220
NPP 3 — Data quality | 252
NPP 4 — Data security | 779
NPP 5 — Openness (privacy statement) | 80
NPP 6 — Access and correction | 1180
NPP 7 — Identifiers | 6
NPP 8 — Anonymity | 15
NPP 9 — Transborder data flows | 54
NPP 10 — Sensitive information collection | 35
Exemptions | 1728
Credit reporting | 680
Information Privacy Principles (public sector) | 544
Spent convictions | 126
Tax file numbers | 23
Privacy codes | 16
Data-matching | 5
Personally controlled electronic health records | 1
Personal Property Securities Register | 1

Table 6.3 lists the 10 private sector industry groups that were most enquired about in NPP telephone enquiries. This pattern has been generally consistent for the last several years, although for the first time ‘online services’ has appeared in the ‘top ten’.

Table 6.3 Top 10 private sector industry groups enquired about
Private sector industry group | Number of telephone enquiries
Health services providers | 1072
Business, professional associations and unions | 1054
Real estate agents | 582
Finance (including superannuation) | 548
Telecommunications | 437
Retail | 373
Personal services (including employment, child care and vets) | 275
Online services | 219
Insurance | 208
Clubs, interest groups, theatres, sports and media | 148

Some examples of calls received during 2011–12 appear below.

  • The caller had gone to a recruitment company to apply for a position. The recruitment company then went to the caller’s current employer and told them that the caller was leaving, and that the recruitment company had the perfect candidate for the caller’s position. The caller was provided advice on how NPP 2 (Use and disclosure) may apply in this instance. Specifically, this principle only permits an organisation to use and disclose personal information for the purpose for which it was collected, unless an exception to NPP 2.1 applies. The caller was given details on the OAIC’s complaints process as an option for resolution.
  • The caller had received a call from a debt collector who asked the caller to confirm their identity before disclosing details of the debt. The caller refused, and enquired about complaining to the OAIC because the debt collector would not reveal the details. The OAIC explained NPP 4.1 (Data security), under which an organisation must take reasonable steps to protect personal information from unauthorised access or disclosure, an obligation that a debt collector's refusal to discuss a debt with an unverified caller is consistent with.
  • A caller wanted to know if their organisation would be permitted to send a text message promoting the organisation's goods and services to customers who had provided their mobile number as a contact. The caller was advised that NPP 2 (Use and disclosure) only permits organisations to use and disclose personal information for the purpose for which it was collected, unless an exception to NPP 2.1 applies, such as the individual's consent. The OAIC suggested the caller seek their customers' consent, as a matter of good business practice, before contacting them by SMS.
  • The caller stated that their organisation is a mortgage broker that also offers property management services (such as leasing client properties). The caller enquired about the collection of credit worthiness information for the purpose of assessing rent or lease applications. The OAIC advised the caller that only credit providers and credit reporting agencies are permitted to collect or access credit files under the credit reporting provisions in the Privacy Act. The caller was advised that it is unlikely that their organisation would be permitted to use the personal information they collected as a ‘mortgage broker’ for its ‘real estate agent’ functions without consent. The OAIC also advised the caller that NPP 1 (Collection) requires an organisation only to collect personal information that is necessary and by lawful and fair means.
  • The caller had purchased a new phone some months ago from a telecommunications company, and opted to have the content from their old phone transferred to their new phone by the phone store. The caller later learned that the store kept this information on file, as it accidentally transferred all of the caller’s content to another person’s new phone. The OAIC advised the individual about NPP 2 (Use and disclosure) and NPP 4 (Data security), and an organisation’s obligations to take steps to protect personal information from unauthorised disclosure. The caller was provided with information on the OAIC’s complaints process.
  • A caller wanted to know what section of the Privacy Act would allow an organisation to obtain a copy of an individual’s credit file. The OAIC provided advice on s 11B of the Privacy Act, as well as the Commissioner’s determination on the Classes of Credit Providers. The caller was also advised to consider obtaining independent legal advice, as such information can only be collected by a credit provider or credit reporting agency.

Written enquiries

The OAIC responds to requests for information that are received by email, letter or fax. The OAIC received 2822 written enquiries in 2011–12, of which 1541 were privacy-related. The OAIC is committed to responding to 90% of written enquiries within 10 working days. This benchmark was not met in 2011–12, with 87% of privacy-related written enquiries responded to within 10 working days.

In 2011–12, 65% of privacy related written enquiries concerned the private sector provisions of the Privacy Act. This has remained consistent compared to 2010–11 (67%).

Complaints

The OAIC can investigate complaints about acts or practices that may be an interference with an individual’s privacy. These can include allegations that:

  • personal information has been collected, held, used or disclosed by an organisation in contravention of the NPPs
  • personal information has been handled by Australian, ACT and Norfolk Island Government agencies in a manner that does not comply with the IPPs
  • credit-worthiness information held by credit providers and credit reporting agencies has been mishandled
  • tax file numbers (TFNs) have been mishandled by individuals or organisations
  • personal information has not been managed in accordance with spent convictions, data matching or healthcare identifier legislation.

Complaints received during 2011–12

In 2011–12, the OAIC received a total of 1357 complaints relating to privacy, on a wide variety of issues.

The percentage of complaints received about each area of jurisdiction is given in Table 6.4. As has been the case since the private sector provisions of the Privacy Act commenced, the private sector continues to be the jurisdiction most commonly complained about, with more than half of all complaints relating to the NPPs. There was a small increase in complaints about credit reporting and a decrease in complaints where the OAIC found that it had no jurisdiction. The percentages in Table 6.4 may add to more than 100% because a complaint may raise more than one issue.

The particular issues complained about as a percentage of total complaints received in 2011–12 are described in Table 6.5. Again, the percentages exceed 100% because a complaint may raise more than one issue.

Table 6.4 Percentage of complaints received by Privacy Act jurisdiction
Jurisdiction | Number of complaints | %
NPPs | 788 | 58.11
Credit reporting | 253 | 18.66
Not in jurisdiction | 222 | 16.37
IPPs | 131 | 9.66
TFN | 7 | 0.52
Australian Capital Territory IPPs | 2 | 0.14
Spent convictions | 1 | 0.07
Approved privacy code | 1 | 0.07
Individual Healthcare Identifier | 1 | 0.07

Table 6.5 Key issues in complaints
Issue | Number of complaints | %
NPP 2 — Use and disclosure | 401 | 29.57
Credit reporting | 307 | 22.64
Not in jurisdiction | 223 | 16.44
NPP 4 — Data security | 207 | 15.27
NPP 1 — Collection | 201 | 14.82
NPP 6 — Access and correction | 192 | 14.16
IPP 10 and 11 — Use and disclosure | 110 | 8.11
NPP 3 — Data quality | 96 | 7.08
IPP 1 — Collection | 41 | 3.02
IPP 4 — Data security | 28 | 2.06
Other NPPs | 24 | 1.77
IPP 6 and 7 — Access and correction | 20 | 1.47
IPP 8 — Accuracy | 15 | 1.11
TFN | 7 | 0.52
Spent convictions | 1 | 0.07
Individual Healthcare Identifiers | 1 | 0.07

The most commonly complained about issues in both NPP and IPP complaints were use and disclosure, followed by data security and improper collection. Complaints received about credit reporting increased by 3.14% from the previous financial year. There was a small decrease in complaints over which the OAIC has no jurisdiction.

Table 6.6 shows the number of complaints made about each of the 10 most commonly complained about industry sectors. The finance sector continued to be the most frequently complained about industry. Following a decrease last year, the debt collector and credit reporting agency sector rose from the third to the second most commonly complained about sector. Complaints about health service providers also increased, and complaints about online services entered the 10 most complained about sectors for the first time.

Table 6.6 Ten most commonly complained about sectors
Sector | Number of complaints
Finance (including superannuation) | 187
Debt collection, credit and tenancy databases | 161
Australian Government | 141
Health service providers | 135
Telecommunications | 127
Online services | 98
Personal services (including employment, child care, vets) | 63
Retail | 54
Real estate agents | 47
Utilities | 42

Most complained about organisations and agencies

Table 6.7 lists the most complained about organisations and agencies.

Many of these organisations and agencies carry out high numbers of transactions involving personal information, and the number of complaints may represent only a small percentage of those transactions.

The fact that an organisation or agency has been the subject of a complaint does not necessarily mean that the organisation or agency has been found to be in breach of the Privacy Act.

Table 6.7 Most complained about organisations and agencies
Organisation | Number of complaints received
Veda Advantage Information Services and Solutions Ltd | 102
Department of Human Services | 64
Telstra Corporation Limited | 55
Commonwealth Bank of Australia Limited | 22
Singtel Optus Pty Ltd | 22
ANZ Bank Limited | 16
Vodafone Hutchison Australia Pty Limited | 15
Westpac Banking Corporation Ltd | 14
Australia Post | 14
Origin Energy | 14

Complaints closed during 2011–12

In 2011–12, the OAIC closed 1383 complaints, which was an increase of approximately 18% on the number closed in 2010–11.

One of the OAIC’s deliverables (see Chapter 2) is to finalise 80% of all privacy complaints within 12 months of receipt. In 2011–12, 89.7% were finalised within 12 months. Complaints were closed in an average of 4.4 months in 2011–12, slightly longer than in the previous financial year (an average of 4 months).

The OAIC can investigate acts or practices that may be a breach of privacy. Where appropriate, an attempt will be made to resolve a complaint through conciliation.

If the OAIC is satisfied that a matter has been adequately dealt with, or if there has not been an interference with privacy, it may decide not to investigate the matter any further. Otherwise, the Commissioner may make a determination about a complaint under s 52 of the Privacy Act.

The OAIC investigated or carried out preliminary inquiries on a higher percentage of complaints than it did in 2010–11. Fewer complaints were declined at the outset.

Table 6.8 provides more information about the stage at which complaints were closed.

Table 6.8 Stage at which complaints were closed
Stage closed | Number of complaints | Percentage
Without investigation | 710 | 51.3%
Preliminary inquiries | 510 | 36.9%
Investigation | 163 | 11.8%
Total | 1383 | 100%

Complaints closed without investigation

In 2011–12, the OAIC closed 51.3% of complaints by exercising a discretion not to investigate a complaint, or not to make preliminary inquiries.

The most common reasons for closing complaints without investigation were:

  • there was no interference with privacy (s 41(1)(a))
  • the complaint was not a privacy complaint because it was not about the individual complaining, did not specify a respondent or was not about privacy (s 36)
  • the complaint had not been raised with the respondent before being brought to the OAIC (s 40(1A))
  • the complainant had not given the respondent sufficient time to deal with the complaint (s 41(2)(b)).

Table 6.9 shows, in more detail, the reasons why these complaints were closed without investigation. The number of jurisdictional issues exceeds the number of complaints closed without investigation because a complaint may raise more than one issue, in more than one jurisdiction.

Table 6.9 Reasons for closing complaints without investigation or preliminary inquiries
Columns give the Privacy Act jurisdiction under which the issue arose.
Reason for closing complaint | NPPs | IPPs | Credit reporting | TFN | Spent convictions | None | Total
Not the privacy of the complainant or no respondent specified, no jurisdiction — s 36 | 62 | 7 | 5 | 3 | 0 | 158 | 235
No interference with privacy — s 41(1)(a) | 118 | 28 | 48 | 0 | 0 | 15 | 209
Complaint not raised with respondent — s 40(1A) | 64 | 11 | 34 | 1 | 0 | 3 | 113
Aware of alleged breach for more than 12 months — s 41(1)(c) | 17 | 2 | 4 | 0 | 0 | 0 | 23
Frivolous, vexatious, misconceived, lacks substance — s 41(1)(d) | 7 | 3 | 3 | 0 | 0 | 0 | 13
Dealt with under another law — s 41(1)(e) | 3 | 3 | 1 | 0 | 0 | 0 | 7
Another law is more appropriate — s 41(1)(f) | 6 | 3 | 1 | 0 | 0 | 2 | 12
Respondent has adequately dealt with the matter — s 41(2)(a) | 25 | 5 | 7 | 0 | 0 | 0 | 37
Respondent has not had opportunity to deal with complaint — s 41(2)(b) | 39 | 8 | 13 | 0 | 1 | 0 | 61
Other (for example, withdrawn) | 7 | 1 | 2 | 0 | 0 | 2 | 12
Total | 348 | 71 | 118 | 4 | 1 | 180 | 722

Complaints closed after an investigation

In 2011–12, the OAIC closed 11.8% of complaints following an investigation under s 40(1) of the Privacy Act.

Table 6.10 shows the reasons for closing a complaint following an investigation. The number of jurisdictional issues exceeds the number of investigations closed because a complaint may raise more than one issue.

Table 6.10 Reasons for declining to investigate complaints further after an investigation
Columns give the Privacy Act jurisdiction under which the issue arose.
Reason for closing following investigation | NPPs | IPPs | Credit reporting | Total
No interference with privacy — s 41(1)(a) | 46 | 12 | 8 | 66
Respondent has adequately dealt with the complaint — s 41(2)(a) | 57 | 11 | 17 | 85
Determination made by the Privacy Commissioner — s 52 | 1 | 0 | 0 | 1
Other (for example withdrawn or being dealt with under another law) | 9 | 2 | 3 | 14
Total | 113 | 25 | 28 | 166

The OAIC tried where possible to resolve cases through conciliation at an early stage of investigation. Respondents took steps to resolve the complaint in just over 50% of cases. Approximately 60% of credit reporting complaints were also resolved through conciliation.

The remedies that were accepted by agencies and organisations after an investigation proceeded to conciliation included:

  • apologising to the complainant
  • training and counselling staff
  • amending database systems and records
  • changing internal procedures
  • providing the complainant with access to records
  • paying compensation to the complainant.

Nature of remedies achieved by conciliation after an investigation

Table 6.11 provides more detail on the outcome of complaints that were closed on the basis that they had been adequately dealt with by the respondent after an investigation by the OAIC under s 40(1) of the Privacy Act. More than one remedy may have been reached for a particular complaint. Therefore, the total listed in Table 6.11 is not equal to the total number of complaints.

Table 6.11 Remedies for complaints closed after an investigation as adequately dealt with by respondent
Columns give the Privacy Act jurisdiction under which the complaint arose.
Remedy | NPPs | IPPs | Credit reporting | Total
Access provided | 10 | 0 | 1 | 11
Apology | 23 | 8 | 4 | 35
Changed procedures | 10 | 4 | 0 | 14
Counselled staff | 6 | 1 | 0 | 7
Other remedy | 16 | 3 | 3 | 22
Record amended | 9 | 0 | 8 | 17
Staff training | 3 | 3 | 0 | 6
Compensation, amount unknown | 0 | 1 | 0 | 1
Compensation, up to $1000 | 8 | 2 | 2 | 12
Compensation, $1001 to $5000 | 9 | 0 | 5 | 14
Compensation, $5001 to $10,000 | 1 | 0 | 0 | 1
Compensation, over $10,000 | 0 | 1 | 0 | 1
Total | 95 | 23 | 23 | 141

An apology to the complainant is the most common remedy, followed by compensation. There has been an increase in the number of matters where compensation formed part of the remedy in 2011–12, compared to 2010–11.

Complaints closed following preliminary inquiries

The Privacy Act authorises the OAIC to conduct preliminary inquiries to determine whether to investigate a complaint or exercise the discretion not to investigate a matter further. For instance, a preliminary inquiry may seek to determine:

  • whether an agency or organisation is willing to provide access to records
  • if a particular act or practice is authorised by law
  • whether an organisation may claim the small business operator exemption
  • whether a respondent is an agency or organisation that is subject to the Privacy Act.

In 2011–12, the OAIC closed 36.9% of complaints after making preliminary inquiries. Table 6.12 provides more detail on the basis for closing complaints following preliminary inquiries. The number of jurisdictional issues exceeds the number of preliminary inquiries closed because a complaint may raise more than one issue.

Table 6.12 Reasons for closing complaints after making preliminary inquiries
Columns give the Privacy Act jurisdiction under which the issue arose.
Reason | NPPs | IPPs | Credit reporting | None | TFN | Total
Not the privacy of the complainant or no respondent specified — s 36 | 11 | 0 | 1 | 0 | 0 | 12
No interference with privacy — s 41(1)(a) | 195 | 34 | 49 | 10 | 1 | 289
Complaint not raised with respondent — s 40(1A) | 3 | 0 | 2 | 1 | 0 | 6
Frivolous, vexatious, misconceived, lacks substance — s 41(1)(d) | 4 | 1 | 1 | 0 | 0 | 6
Currently investigated under other Commonwealth or State Act — s 41(1)(e) | 4 | 0 | 0 | 0 | 0 | 4
Respondent has adequately dealt with the matter — s 41(2)(a) | 103 | 12 | 30 | 1 | 1 | 147
Respondent has not had an opportunity to deal with the complaint — s 41(2)(b) | 3 | 0 | 4 | 0 | 0 | 7
Other (for example withdrawn) | 45 | 7 | 27 | 1 | 0 | 80
Total | 368 | 54 | 114 | 13 | 2 | 551

The most common reason for closing a complaint after preliminary inquiries continued to be a finding that the individual’s privacy had not been interfered with, which was the finding in just over 52% of the complaints.

Nature of remedies achieved following preliminary inquiries

In conducting preliminary inquiries the OAIC may find that the respondent has adequately dealt with the matter, or may be able to resolve the complaint through conciliation. Table 6.13 gives further detail about the types of remedies achieved following preliminary inquiries. More than one remedy may have been achieved for a particular complaint, meaning the total listed in Table 6.13 does not equal the total number of complaints.

Table 6.13 Remedies for complaints closed as adequately dealt with after preliminary inquiries
Columns give the Privacy Act jurisdiction under which the complaint arose.
Remedy | NPPs | IPPs | Credit reporting | Total
Access provided | 41 | 2 | 1 | 44
Apology | 22 | 8 | 4 | 34
Changed procedures | 12 | 2 | 2 | 16
Compensation, amount unknown | 1 | 0 | 0 | 1
Compensation, up to $1000 | 14 | 2 | 1 | 17
Compensation, $1001 to $5000 | 3 | 0 | 5 | 8
Compensation, $5001 to $10,000 | 2 | 0 | 1 | 3
Compensation, over $10,000 | 0 | 0 | 0 | 0
Confidential settlement | 0 | 1 | 0 | 1
Counselled staff | 2 | 0 | 0 | 2
Other remedy | 18 | 3 | 4 | 25
Record amended | 19 | 1 | 21 | 41
Staff training | 8 | 2 | 0 | 10
Total | 142 | 21 | 39 | 202

Giving a complainant access to their records was the most common remedy after preliminary inquiries, followed by amendment to records and apologies. Compensation was paid in just over 14% of complaints resolved at the preliminary inquiries stage.

Complaints under approved codes

The Privacy Act allows for organisations or groups of organisations to develop privacy codes. A code approved by the Information Commissioner replaces the NPPs as the legally enforceable privacy standards for those organisations. At 30 June 2012, there were two approved privacy codes in force (see Table 6.14). There were no complaints handled by the OAIC under any of the approved codes in 2011–12.

The Biometrics Institute Privacy Code was revoked by the Privacy Commissioner in April 2012. More information on this revocation can be found in Chapter 7.

Table 6.14 Approved privacy codes
Code title | Code adjudicator | Monitoring and reporting responsibility | Date came into effect
Queensland Club Industry Privacy Code | Australian Information Commissioner | Clubs Queensland and the Information Commissioner | 23 August 2002
Market and Social Research Privacy Code | Australian Information Commissioner | Association of Market and Social Research Organisations and the Information Commissioner | 1 September 2003

The Information Commissioner is the code adjudicator for each of the codes listed above. A register of approved codes can be found on the OAIC’s website at www.oaic.gov.au.

Determinations

The OAIC made one determination in 2011–12. A determination is a legal decision or finding made by a Commissioner, where conciliation has not resolved the matter. In this matter, the Privacy Commissioner declared that: the respondent apologise in writing to the complainant, review its staff training regarding the handling of personal information, advise the Privacy Commissioner of the outcome of the training review, and pay the complainant $7500. Further details of the determination, ‘D’ and Wentworthville Leagues Club, can be found on the OAIC’s website.

Own motion investigations

Section 40(2) of the Privacy Act enables the Information Commissioner to investigate a possible interference with privacy without first receiving a complaint from an individual, if the Information Commissioner considers an investigation to be desirable. These investigations are called own motion investigations (OMIs).

During 2011–12, 37 new matters involving alleged interferences with privacy were assessed for investigation as OMIs. These matters came to the OAIC’s attention from a variety of sources including telephone calls to the enquiries line, emails and letters from individuals, and systemic issues identified through complaints or as a result of media coverage.

The OAIC uses its own risk assessment criteria to determine whether to investigate a matter on its own motion. These criteria include:

  • the number of people affected and the possible consequences for those individuals
  • the sensitivity of the personal information involved
  • the progress of an agency’s or organisation’s own investigation into the matter and consideration of the actions taken by the entity in response
  • the likelihood that the investigation will reveal acts or practices that involve systemic interferences with privacy and/or that are unidentified.

Table 6.15 shows a breakdown of the most common issues that arose in OMIs in 2011–12. Overwhelmingly, the main compliance issues related to data security and to improper use and disclosure of personal information. These two issues often go together: where an organisation or agency lacks appropriate data security measures, personal information is liable to be improperly used or disclosed as a result.

Examples of allegations raised in OMIs opened in 2011–12 included that:

  • an association was publishing a ‘blacklist’ of ‘unfinancial’ members on its website that was publicly accessible
  • the personal information of customers was publicly accessible on the internet
  • system vulnerabilities resulted in hacking incidents which led to information about customers, including financial information, being stolen
  • an agency failed to ensure appropriate security access controls were in place to prevent unauthorised persons gaining access to confidential material held in a database.

Table 6.15 Issues in own motion investigations opened in 2011–12
Issue | Number of investigations
Credit provider — accuracy (s 18G(a)) | 1
Credit provider — disclosure (s 18N(1)) | 2
IPP 4 — inadequate security measures | 2
IPP 8 — failed to check accuracy | 1
IPP 9 — used irrelevant information | 1
IPP 10 — used for different purpose | 1
IPP 11 — disclosed information | 2
NPP 1.1 — unnecessary collection | 3
NPP 1.3 — insufficient notice | 2
NPP 2.1 — improper use or disclosure | 19
NPP 3 — data quality issues | 2
NPP 4 — data security issues | 28
NPP 10 — sensitive information collection | 1
TFN — use | 1
Total | 66

A number of issues that came to the attention of the OAIC in 2011–12 were matters of significant public concern. To promote community confidence and also to increase the transparency of its compliance activities, the OAIC commenced the publication of reports of investigations into high profile matters or where there was a public interest in doing so. The OAIC published six OMI reports in 2011–12 that are available on the OAIC’s website. The OAIC intends to continue to publish investigation reports, where appropriate.

Data breach notifications

A data breach notification (DBN) occurs when an organisation or agency informs the OAIC that personal information in its possession or control has been subject to loss or unauthorised access, use, disclosure, copying or modification. In 2011–12, the OAIC received 46 DBNs, an 18% decrease from the number of DBNs received in 2010–11.

While there is no specific obligation in the Privacy Act for agencies or organisations to report data breaches to the OAIC, many agencies and organisations do so as good privacy practice. The OAIC directs agencies and organisations to apply the advice set out in the OAIC guide, Data breach notification: A guide to handling personal information security breaches, when responding to a data breach.

The Guide includes information about when to report a data breach to the OAIC or affected individuals. It outlines four steps to consider when responding to a breach or suspected breach and also outlines preventative measures that should be taken as part of a comprehensive information security plan.

Reporting a DBN to the OAIC and taking follow-up action can help agencies and organisations to ensure they meet their obligations under the Privacy Act, particularly IPP 4, NPP 4 and Part IIIA. The nature of DBNs means that the OAIC’s investigation of these incidents focuses primarily on the data security measures the agency or organisation had in place when the incident occurred and on the steps taken to improve those practices as a result of the DBN.

The OAIC assesses each DBN to determine whether further action is required by the agency or organisation to respond appropriately to the breach. The OAIC may take no further action if the agency or organisation has contained the breach by recovering the information, or has taken steps that mitigate further impact on the individuals affected, such as notifying relevant authorities and individuals and reviewing and improving its data security practices. Where the OAIC considers that inadequate steps have been taken, or the agency or organisation is still assessing the source and impact of the breach and the overall response required, it will work with the entity to help it apply best privacy practice. Where the OAIC is not satisfied with the voluntary action taken by the agency or organisation to resolve the matter, it will open an OMI.

Issues in data breach notifications

Incidents reported to the OAIC through DBNs in 2011–12 included that:

  • batch emails containing personal information were sent to clients with every recipient listed in the ‘to’ field rather than the ‘bcc’ field, disclosing each client’s address to all the others
  • an unsecured bag containing job applications was stolen
  • a database containing customers’ personal information was hacked
  • a system error allowed customers to access other customers’ account and contact details
  • a mail merge error resulted in members receiving the personal information of other members.
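The first and last incidents in that list are the kind a pre-send check can catch. The following is an added example, not code from any notifying entity or from the OAIC; the sender address, member records and statement template are constructed. It builds the same batch message two ways, one exposing every address in the To field and one with recipients in Bcc, and audits each before sending; it also renders a mail merge one message per member and flags any message body that carries another member’s account identifier, which is the check a misaligned merge fails.

```python
"""Pre-send checks for two mass-disclosure patterns: recipients exposed in
the To field, and a mail merge that sends one member's details to another.
Added example; the member records, sender and template are constructed."""
from email.message import EmailMessage
from email.utils import getaddresses

SENDER = "noreply@example.com"  # hypothetical sender address

# Constructed member records (not from any reported incident).
MEMBERS = [
    {"email": "a.nguyen@example.com", "name": "A Nguyen", "account": "ACC-1001"},
    {"email": "b.smith@example.com", "name": "B Smith", "account": "ACC-1002"},
    {"email": "c.jones@example.com", "name": "C Jones", "account": "ACC-1003"},
]
TEMPLATE = "Dear {name},\nYour statement for account {account} is ready.\n"


def _new_message(to, subject, body):
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = to
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def build_broadcast_unsafe(members):
    """The 'to' field pattern: every member sees every other member's address."""
    return _new_message(", ".join(m["email"] for m in members), "Newsletter", "Hello members")


def build_broadcast_safe(members):
    """Same content, recipients in Bcc only; To carries the sender's own address."""
    msg = _new_message(SENDER, "Newsletter", "Hello members")
    msg["Bcc"] = ", ".join(m["email"] for m in members)
    return msg


def visible_recipients(msg):
    """Addresses every recipient can read: To and Cc. Bcc is never visible."""
    headers = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
    return sorted({addr.lower() for _, addr in getaddresses(headers) if addr})


def exposes_recipients(msg, sender=SENDER):
    """True if sending would disclose more than one third party's address."""
    others = [a for a in visible_recipients(msg) if a != sender.lower()]
    return len(others) > 1


def build_statements(members, records=None):
    """One message per member, rendered from the record passed for that member.
    With records=None this is the correct merge; passing a shifted list
    reproduces the error where members receive each other's details."""
    records = list(members) if records is None else records
    return [_new_message(m["email"], "Your statement", TEMPLATE.format(**r))
            for m, r in zip(members, records)]


def find_cross_member_leaks(messages, members):
    """Audit a merged batch before sending: report every message whose body
    carries an account identifier belonging to someone other than the
    addressee. Returns (recipient, leaked_account) pairs."""
    leaks = []
    for msg in messages:
        recipient = str(msg["To"]).strip().lower()
        body = msg.get_content()
        for m in members:
            if m["account"] in body and m["email"].lower() != recipient:
                leaks.append((recipient, m["account"]))
    return leaks


if __name__ == "__main__":
    print("unsafe broadcast exposes recipients:", exposes_recipients(build_broadcast_unsafe(MEMBERS)))
    print("safe broadcast exposes recipients:", exposes_recipients(build_broadcast_safe(MEMBERS)))
    shifted = MEMBERS[1:] + MEMBERS[:1]
    print("leaks in shifted merge:", find_cross_member_leaks(build_statements(MEMBERS, shifted), MEMBERS))
    print("leaks in correct merge:", find_cross_member_leaks(build_statements(MEMBERS), MEMBERS))
```

One caveat on the Bcc variant: smtplib’s send_message strips the Bcc header before transmission, but if the message is serialised with as_bytes() and handed to sendmail, the Bcc header travels with it and every recipient receives the full list anyway, so delete the header first on that path.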

Typically, the actions taken by entities in response to a DBN include system reviews and alterations, written notifications to affected individuals, apologies, retrieval of records, changes in standard operating procedures and staff training.

Case notes

The OAIC publishes case notes describing, in de-identified form, the issues and outcomes of selected complaints and investigations. The purpose of these case notes is to provide an insight into how the NPPs or IPPs are being applied. This can:

  • assist individuals, organisations and agencies to decide whether to pursue a complaint, or if personal information is being handled appropriately
  • encourage good privacy practices and compliance with the Privacy Act
  • demonstrate accountability and transparency in the OAIC’s processes and decision making.

In 2011–12, the OAIC published 14 case notes about complaints under the NPPs, IPPs and other areas of the Privacy Act. The case notes can be accessed on the OAIC website.


Data matching

Monitoring government data matching

Data matching is the process of bringing together large data sets of personal information from different sources and comparing them to identify any discrepancies. For example, the Australian Taxation Office (ATO) may undertake a data-match to identify retailers that may be operating outside the tax system or who may be under-reporting turnover. This may include identifying individuals.

The process involves analysing information about large numbers of people, the majority of whom are not under suspicion. This means that data matching raises privacy issues. To ensure that government agencies have proper regard to privacy principles when undertaking data matching, the OAIC performs a number of functions.

The Information Commissioner has statutory responsibilities under the Data-matching Program (Assistance and Tax) Act 1990 (the Data-matching Act) and the Guidelines for the Conduct of the Data-matching Program (the statutory data-matching guidelines). Additionally, the Information Commissioner oversees the functioning of the Guidelines for the use of data matching in Commonwealth administration, which are voluntary guidelines to assist agencies not subject to the Data-matching Act to perform data-matching programs in a privacy sensitive way.

Matching under the Data-matching Act and statutory data-matching guidelines

To detect overpayments, taxation non-compliance and the receipt of duplicate payments, the Data-matching Act provides for the use of tax file numbers in data-matching processes undertaken by a special unit within Centrelink (the data-matching agency). The data-matching agency runs matches on behalf of Centrelink, the Department of Veterans’ Affairs (DVA) and the ATO.

The Data-matching Act and the statutory data-matching guidelines outline the type of personal information that can be used, and how it can be processed. They also provide individuals with the opportunity to dispute or explain any matches, and require that individuals have means for redress.

The Data-matching Act requires Centrelink, DVA and the ATO to report to Parliament on the results of any data-matching activities carried out under the Act. These reports are published separately by each agency.

The Data-matching Act also provides that the Information Commissioner is responsible for monitoring the functioning of the statutory data-matching program. The OAIC discharges this function by running data-matching inspections.

Inspections

During 2011–12, the OAIC inspected Centrelink’s handling of a sample of data-matching cases at three regional Business Integrity Sites. The regions inspected were:

  • Centrelink, Area Brisbane West, Queensland (Brisbane), August 2011
  • Centrelink, Area Melbourne West, Victoria (Bendigo), October 2011
  • Centrelink, Area Melbourne East, Victoria (Rowville), March 2012.

Representatives of the OAIC, with the assistance of Centrelink and regional staff, conducted inspections and reviewed a sample (usually 100) of customer records that had been through the data-matching process.

The OAIC found that Centrelink’s processes and procedures for statutory data-matching were compliant with the requirements of the Data-matching Act. The area offices’ procedures were also assessed as generally compliant with the requirements of the Privacy Act in the handling of this information.

Own motion investigation — Telstra Corporation Limited

On 12 December 2011, the Privacy Commissioner opened an own motion investigation in response to allegations that Telstra Corporation Limited had breached customer privacy by making its web-based customer management tool (the Visibility Tool) publicly available on its website. The Visibility Tool is used to track orders for bundled products.

The Privacy Commissioner received information which indicated that customers’ personal information was accessible online. The personal information included names, phone numbers, service holdings and order numbers, as well as a free text field where consultants could write a customer’s username and password, or email or online bill account reference.

The Privacy Commissioner’s investigation focused on whether Telstra’s handling of the personal information it held in the Visibility Tool was consistent with the National Privacy Principles (NPPs) contained in Schedule 3 of the Privacy Act. These principles include requirements about when personal information may be disclosed (NPP 2), and what security measures must be in place to protect the personal information (NPP 4).

The Privacy Commissioner took the view that the incident amounted to an unauthorised disclosure of customers’ personal information by Telstra, and therefore breached NPP 2.

The Privacy Commissioner also concluded that at the time of the incident, Telstra did not have adequate security measures in place to protect the personal information it held in the Visibility Tool from misuse and loss and from unauthorised access, modification or disclosure, resulting in a breach of NPP 4.

The full investigation report can be found on the OAIC website.

Matching under the Guidelines for the use of data matching in Commonwealth administration

Many Australian Government agencies also carry out data-matching activities that are not subject to the Data-matching Act, but are run under different laws authorising the use and disclosure of personal information for data-matching purposes. To assist agencies performing such data-matching activities to have proper regard to the privacy of individuals, the Information Commissioner has issued voluntary data-matching guidelines called the Guidelines for the use of data matching in Commonwealth administration.

These voluntary guidelines require that programs are regularly monitored and evaluated, that individuals identified have the opportunity to dispute the results, and that action against individuals is not taken solely on the basis of automated processes.

Agencies are also required to prepare a description of the data-matching activity (a ‘program protocol’). Before the activity is commenced, the program protocol should be submitted to the Information Commissioner for comment, and once it has been finalised, the program protocol should be made available to the public.

In 2011–12, the Information Commissioner received 16 program protocols for proposed non-statutory data-matching activities. A summary of these protocols is outlined in Table 6.16.

Table 6.16 Program protocols produced under the voluntary data-matching guidelines
Matching agency | Source agencies | Name of the program protocol | Description of the program protocol | Date received
Australian Taxation Office (ATO) | Centrelink | Temporary Flood Cyclone Reconstruction Levy | To identify individuals who are exempt from paying the flood levy, and ensure they are not included in any future compliance activity | July 2011
ComSuper | Victorian Registry of Births Deaths and Marriages | Enquiries only | No protocol proceeded | July 2011
Department of Climate Change and Energy Efficiency (DCCEE) | Department of Climate Change and Energy Efficiency (DCCEE); Department of Broadband, Communications and Digital Economy (DBCDE) | Matching information from DCCEE’s Home Insulation Program with information of participants in DBCDE’s Digital Switchover Household Assistance Scheme (HAS) | The objective of the program is to make certain all households that have received home insulation are safety tested to ensure the safety of HAS service contractors who enter roof spaces where foil insulation has been installed | August 2011
Australian Taxation Office (ATO) | Department of Human Services (Centrelink) | Education Tax Refund data matching protocol | Data-matching of Family tax benefit part A data from Centrelink against the ATO’s taxpayer records | September 2011
Australian Taxation Office (ATO) | Law Society of the ACT, ACT Bar Association, The Law Society Northern Territory, The Northern Territory Bar Association, The Law Society of New South Wales, The New South Wales Bar Association, Legal Services Commissioner and Legal Practice Board of Victoria, Queensland Law Society Incorporated, Bar Association of Queensland, Legal Practice Board of Western Australia, Legal Practitioners’ Registrar of South Australia, Law Society of Tasmania, and The Bar Association of Tasmania | Legal Profession Data Matching Protocol | Matching of ATO taxpayer records with personal information obtained from the states and territories legal registering authorities for legal professional practitioners (barristers and solicitors) | October 2011
Australian Taxation Office (ATO) | State WorkCover Authorities | WorkCover Data-Matching Project | The protocol is for a proposed matching of ATO taxpayer records with employer data from state and territory WorkCover Authorities | October 2011
Australian Taxation Office (ATO) | Department of Immigration and Citizenship (DIAC) | DIAC/ATO Temporary Visa Data Matching Project | Data-matching to fill gaps in the original data, including data pertaining to some additional temporary visa holder subclasses which have working rights in Australia (and have the potential for deriving Australian-sourced income) | October 2011
Australian Taxation Office (ATO) | Department of Human Services (Centrelink) | Dependant Spouse Tax Offset Data Matching Project | To improve compliance with taxation obligations of taxpayers claiming the dependant spouse tax offset | October 2011
Australian Taxation Office (ATO) | Various insurance companies | Data Matching Protocol — Marine Insurance ATO | Matching of data provided by various insurance companies to assist in identifying taxpayers whose net wealth is such that their affairs should be reviewed under the highly wealthy individuals or wealthy Australians programs | October 2011
Australian Taxation Office (ATO) | Roads and Traffic Authority NSW, Queensland Transport, Vic Roads, Department of Infrastructure, Energy and Resources (Tas), Department for Transport, Energy and Infrastructure (Transport SA), Department for Planning and Infrastructure (WA), Northern Territory Department of Planning and Infrastructure (Transport Division), and ACT Road Transport Authority, Road User Services, Urban Services | Motor Vehicle Data Matching Project | Matching of data provided by various state and territory motor vehicle registering bodies against the ATO’s taxpayer records, with a view to identifying individuals and businesses which may not be meeting their tax-related registration, reporting, lodgement and payment obligations | November 2011
Australian Taxation Office (ATO) | eBay.com.au, Quicksales.com.au, Graysonline.com | Data Matching Protocol — Online Selling | To identify members of online selling sites who are involved in selling goods and services of a total value of $20,000 or greater p.a. | November 2011
Australian Taxation Office (ATO) | Various banks and credit card providers | Credit and Debit Card Data Matching Project | Data matching of ATO taxpayer records with data provided by financial institutions in relation to businesses with credit card and debit card sales | November 2011
Australian Taxation Office (ATO) | Various coffee suppliers | Coffee suppliers Data Matching Protocol | Match coffee supplier data against the ATO’s taxpayer records in order to identify and address any potential non-compliance with taxation obligations in the coffee industry | January 2012
Australian Taxation Office (ATO) | NSW Department of Fair Trading, Queensland Building Services Authority, Government of SA Consumer and Business Services, Wesfarmers Limited (Bunnings Group Limited) | Building Industry Data Matching Protocol | Match building industry data against the ATO’s taxpayer records in order to identify and address any potential non-compliance with taxation obligations in the building industry | January 2012
Australian Taxation Office (ATO) | Link Market Services Limited, Computershare Limited, Australian Securities Exchange Limited, Boardroom Pty Ltd, Advanced Share Registry Services Pty Ltd, Security Transfer Registrars Pty Ltd | Share Transactions Data Matching Program Protocol | Renew the Share Transactions Data Matching Program previously gazetted on 23 April 2008. Ongoing program that matches share data against the ATO’s taxpayer records in order to improve compliance capability in relation to capital gains tax on the disposal of shares | February 2012
Department of Human Services | eBay Inc. | Data Matching Protocol — the eBay Project | Match data with eBay to identify individuals who may not be declaring income earned through online trade | February 2012


Audits

Under the Privacy Act the Information Commissioner has the power to conduct privacy audits of Australian and ACT Government agencies, as well as some other organisations in certain circumstances. These audits help to determine and improve the level of compliance with the Privacy Act. The OAIC conducts audits to promote best privacy practice and to reduce privacy risks across agencies. The Information Commissioner’s audit powers include:

  • auditing agency compliance with the Information Privacy Principles — s 27(1)(h)
  • examining the records of the Commissioner of Taxation in relation to tax file numbers (TFNs) and TFN information — s 28(1)(d)
  • auditing TFN recipients — s 28(1)(e)
  • auditing credit information files and credit reports held by credit reporting agencies and credit providers — s 28A(1)(g).

Other than audits conducted by using the above powers, the Information Commissioner may only audit a private sector organisation if the organisation requests this under s 27(3) of the Privacy Act.

In 2011–12, the OAIC conducted three audits under memorandums of understanding.

An audit is a snapshot of personal information handling practices relating to the audited entity at a particular time and place. Audited entities are encouraged to consider audit findings broadly, and recognise that the issues identified may foster improvements beyond the audited program alone.

The OAIC’s audit teams emphasise that an audit is an educative process and compliance with the Privacy Act is part of good management practice. Audits have been the catalyst for improvements to agencies’ data security, accuracy of information, staff training and disclosure policies.

The OAIC is progressively uploading finalised audit reports to its website.

Credit audits

In June 2012, the OAIC finalised an audit into Veda Advantage which looked at complaint handling, the cross-referencing of files and security issues. This audit was commenced in April 2010.

ACT government audits

The OAIC currently has a Memorandum of Understanding with the ACT Government (see Appendix 5 for further information) which includes a commitment by the OAIC to conduct one audit of an ACT Government agency per financial year. The OAIC selects audit targets based on a risk assessment analysis which takes into account previous audits and audit findings, complaints against ACT Government agencies, the amount of personal information held by an agency and the sensitivity of, and risk to, that information.

Table 6.17 shows details of the ACT Government audits commenced and/or finalised by the OAIC in 2011–12, including two that were commenced in 2010–11.

Table 6.17 ACT Government audits commenced and/or finalised in 2011–12
Agency | Audit scope | Date commenced | Date finalised
ACT Department of Territory and Municipal Services (TAMS) — MyWay business unit | The ‘MYWay’ Travel Card (MWTC) program was introduced to the ACT public in March 2011. The audit examined the processes of the MYWay business unit and related third party agents regarding the handling of personal information collected as part of the MWTC registration process | January 2012 | In progress
Australian Federal Police — ACT Policing branch | Number plate recognition (NPR) technology known as RAPID (Recognition and Analysis of Plates Identified) | September 2010 | 21 July 2011
Office for Children, Youth and Family Support (Care and Protection Services) | The audit examined the processes of Care and Protection Services for handling client personal information, including the collection, storage and security, quality, use and disclosure of this information | November 2010 | 6 July 2011

The OAIC found that these agencies were generally compliant with their obligations under the IPPs. Audit recommendations included improving notification procedures to ensure compliance with IPP 2 and developing and implementing a data destruction policy in keeping with IPP 4.

Identity security audits

The OAIC provided privacy advice to key agencies about projects delivered under the Australian Government’s National Identity Security Strategy (NISS). One project under the NISS related to the National Document Verification Service (DVS).

The DVS allows authorised government agencies to verify, online and in real time, the authenticity of an individual’s Evidence of Identity (EOI) documents sourced from another government agency, when enrolling for benefits and services. Agencies using the DVS are able to verify that:

  • the EOI document was issued by the relevant source government agency
  • details recorded on the EOI document correspond to the details held by the source government agency
  • the document is still valid.

Lead responsibility for the development of the DVS rests with the Attorney-General’s Department. In 2011–12, planned audits of the DVS were deferred and, instead, additional policy advice was provided. The Department of Foreign Affairs and Trade DVS audit, which commenced in November 2010, is still in progress.

Australian Customs and Border Protection audits

The OAIC currently has a Memorandum of Understanding with the Australian Customs and Border Protection Service (Customs) (see Appendix 5 for further information) to provide ongoing policy advice and conduct up to two audits per financial year of various aspects of Customs’ use of Passenger Name Record (PNR) data.

Table 6.18 Customs PNR Data audits commenced and/or finalised in 2011–12
Location | Audit scope | Date commenced | Date finalised
Brisbane and Gold Coast international airport arrivals terminals | Review of Customs’ handling of PNR data | November 2011 | In progress

The OAIC audit teams found that Customs’ handling of personal information was generally compliant with the Privacy Act. Where appropriate, the OAIC audit teams have made best privacy practice recommendations. The OAIC does not publish all Customs PNR audit reports on the OAIC website as some reports contain information that may affect operational security of Customs.

Healthcare Identifier audits

The Healthcare Identifiers Act 2010 (the HI Act) established the Healthcare Identifier Service (HI Service), which commenced on 1 July 2010. The HI Service is part of Medicare.

The functions of the HI Service are to:

  • assign and issue individual healthcare identifiers (IHIs) for all individuals who have been, are being or will be provided with healthcare, and healthcare identifiers to healthcare providers (HPI-Is) and healthcare provider organisations (HPI-Os)
  • allow those authorised to access the HI Service to retrieve healthcare identifiers
  • keep the information associated with healthcare identifiers up to date and accurate, including deactivating or retiring healthcare identifiers when they are no longer needed.

Under s 29(3) of the HI Act, the Information Commissioner has the power to audit the handling of healthcare identifiers assigned to individuals and individual healthcare providers.

The OAIC received funding in 2011–12 under an Exchange of Letters agreement with the Department of Health and Ageing to undertake up to two healthcare identifier audits, as well as to provide policy advice and undertake other compliance activities. See Appendix 5 for further information about healthcare identifiers and the Exchange of Letters agreement.

Table 6.19 Healthcare identifier audits commenced and/or finalised in 2011–12
Agency | Audit scope | Date commenced | Date finalised
Medicare Australia | The process for assigning IHIs, policies and procedures governing the handling of IHIs, particularly to ensure compliance with data security, accuracy and reporting requirements | September 2010 | July 2011
Medicare Australia | The collection, storage and security, quality, use and disclosure of HPI-Is in keeping with the HI Service Operator’s obligations under the Privacy Act | June 2011 | In progress


Personal Information Digest

To help people understand what personal information is held by each Australian and ACT government agency, IPP 5.3 in s 14 of the Privacy Act requires agencies to keep a record detailing:

  • the nature of records kept
  • the purpose for which these records are kept
  • the categories of people the information is about
  • the period for which the records are kept
  • who has access to the records
  • the steps an individual needs to take to gain access to the records.

These explanatory records must be provided to the OAIC in June of each year, and are subsequently compiled and published as the Personal Information Digest.

The ACT Department of Justice and Community Safety (JACS) compiled the ACT Personal Information Digest and the final documents were published on the JACS website. The OAIC published the Personal Information Digest for Australian Government agencies for the period ending June 2012 on its website at www.oaic.gov.au.
